Cunningham: Balance compliance, security to best manage IT risk

Kevin Cunningham, Guest Columnist

While no one in information technology can argue against the need to address compliance requirements mandated by an ever-increasing list of regulations, it’s important to remember that compliance is not an end goal in itself. Rather, it’s a means to effectively manage IT risk. Keeping risk management top of mind is especially important now as organizations face the challenges of more complex IT environments due to the proliferation of cloud and mobile technologies.

In an ideal world, there would be a strong correlation between reducing risk and addressing compliance requirements. Done correctly, compliance controls would be based on a risk analysis that balances the likelihood and potential cost associated with different types of security incidents.

Unfortunately, auditor requirements don’t always align to the areas of greatest risk in the organization. Without proper alignment, the result is a list of audit requirements that cost a lot of time and money and yet don’t mitigate business risk. This “check-box” approach to compliance is an easy trap to fall into and something that organizations should be careful to avoid.

Fortunately, in the world of identity and access management, or IAM, more and more organizations are taking a risk-based approach to compliance. To do that, user populations and IT resources need to be categorized according to the potential risk. Once categorized, controls can be designed to appropriately address the highest areas of risk with the highest degree of oversight — and the lowest degree of oversight over the areas that represent the lowest areas of risk. Compliance officers can then work hand-in-hand with their security counterparts to demonstrate to auditors that the appropriate controls are in place to address risk and compliance. Remember, most legislation driving compliance is not prescriptive — it is the interpretation of the auditor that determines what compliance really means.

Embrace risk-based IAM

In large organizations, assessing the risk of users based on their access privileges is a very daunting undertaking. There are hundreds — sometimes thousands — of on-premises systems, applications and databases, spanning cloud and datacenter environments. And the environment changes on a daily basis, with people joining, leaving or moving to new positions within the company. Assessing the risk associated with each user in these cases using manual methods is simply not possible.

To truly protect information assets from potential security incidents, organizations must embrace a risk-based approach to IAM, which enables them to align compliance policies and controls so that they reduce or mitigate the most likely causes of IT risk. Risk-based IAM helps organizations map their risk-management strategies for compliance by providing a centralized view into users and their access privileges. And it answers the critical questions: Who should have access to what? Who does have access to what? And how did they get it?

With this centralized view of an organization’s identity data, IT can then assess the effectiveness of IT controls, analyze risk associated with user access, and recommend appropriate changes to stay compliant.

Engage nontechnical staff

With a risk-based IAM strategy, organizations can also implement automated reviews of user access designed to engage nontechnical staff members from various lines of business who are in the best position to make that evaluation in the first place. This is critical in eliminating problem areas like orphan accounts and toxic combinations of access — key compliance violations often flagged by auditors.
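The review this paragraph describes, together with the "who should have access / who does have access" comparison above, as an added example in Python (this is not SailPoint's code or any product's). It joins a constructed HR record set and role model against a constructed account extract, flags orphan accounts (no owner, or a terminated owner), toxic separation-of-duties combinations and access beyond the owner's role, then scores each account with constructed entitlement risk weights so that the highest-risk items land in the highest-oversight tier and clean, low-weight access gets the lightest review. All identities, systems, entitlements, weights and thresholds are assumptions chosen to exercise the checks.

```python
"""Risk-based access review over constructed identity data.

Added illustration, not code from SailPoint or any product. Every identity,
account, entitlement, risk weight and threshold here is constructed sample data.
"""
from collections import defaultdict

# "Who should have access": constructed HR records and role model.
IDENTITIES = {
    "alice": {"status": "active", "role": "ap_clerk"},
    "bob": {"status": "active", "role": "ap_manager"},
    "carol": {"status": "terminated", "role": "developer"},
}
ROLE_MODEL = {
    "ap_clerk": {"erp:create_vendor", "erp:enter_invoice"},
    "ap_manager": {"erp:approve_payment", "erp:view_reports"},
    "developer": {"git:push", "ci:deploy_staging"},
}
# Constructed risk weight per entitlement; higher means more oversight.
RISK_WEIGHT = {
    "erp:create_vendor": 3, "erp:enter_invoice": 2, "erp:approve_payment": 5,
    "erp:view_reports": 1, "git:push": 2, "ci:deploy_staging": 3, "prod:db_admin": 8,
}
# Constructed separation-of-duties rules: no single person should hold both halves.
TOXIC_PAIRS = [
    frozenset({"erp:create_vendor", "erp:approve_payment"}),
    frozenset({"erp:enter_invoice", "erp:approve_payment"}),
]
# "Who does have access": constructed account extract from target systems.
ACCOUNTS = [
    {"system": "erp", "account": "alice.f", "owner": "alice",
     "entitlements": {"erp:create_vendor", "erp:enter_invoice", "erp:approve_payment"}},
    {"system": "erp", "account": "bob.f", "owner": "bob",
     "entitlements": {"erp:approve_payment", "erp:view_reports"}},
    {"system": "git", "account": "carol", "owner": "carol", "entitlements": {"git:push"}},
    {"system": "prod", "account": "svc_old", "owner": None, "entitlements": {"prod:db_admin"}},
]
HIGH_RISK, MEDIUM_RISK = 8, 4  # constructed oversight-tier thresholds


def orphan_accounts(accounts, identities):
    """Accounts with no owner, or whose owner is no longer active."""
    orphans = []
    for acct in accounts:
        owner = identities.get(acct["owner"])
        if owner is None:
            orphans.append((acct["system"], acct["account"], "no owner"))
        elif owner["status"] != "active":
            orphans.append((acct["system"], acct["account"], f"owner {owner['status']}"))
    return orphans


def entitlements_by_owner(accounts):
    """Aggregate entitlements per owner across every system they hold accounts on."""
    held = defaultdict(set)
    for acct in accounts:
        if acct["owner"] is not None:
            held[acct["owner"]] |= acct["entitlements"]
    return held


def toxic_combinations(accounts, pairs):
    """Owners who hold both halves of a separation-of-duties pair."""
    findings = {}
    for owner, ents in entitlements_by_owner(accounts).items():
        hits = [tuple(sorted(p)) for p in pairs if p <= ents]
        if hits:
            findings[owner] = hits
    return findings


def excess_access(accounts, identities, role_model):
    """Entitlements held beyond what the owner's role prescribes."""
    excess = {}
    for owner, ents in entitlements_by_owner(accounts).items():
        ident = identities.get(owner)
        if ident is None:
            continue  # reported by orphan_accounts instead
        extra = ents - role_model.get(ident["role"], set())
        if extra:
            excess[owner] = extra
    return excess


def risk_score(entitlements, weights=RISK_WEIGHT):
    """Additive score; an unweighted entitlement counts as medium risk (constructed default)."""
    return sum(weights.get(e, MEDIUM_RISK) for e in entitlements)


def review_queue(accounts, identities, role_model=ROLE_MODEL, pairs=TOXIC_PAIRS):
    """One review item per account, highest oversight first. Any finding forces the high tier."""
    orphans = {(s, a): why for s, a, why in orphan_accounts(accounts, identities)}
    toxic = toxic_combinations(accounts, pairs)
    excess = excess_access(accounts, identities, role_model)
    queue = []
    for acct in accounts:
        owner, findings = acct["owner"], []
        why = orphans.get((acct["system"], acct["account"]))
        if why:
            findings.append(f"orphan: {why}")
        findings += [f"toxic: {a} + {b}" for a, b in toxic.get(owner, [])]
        findings += [f"excess: {e}" for e in sorted(excess.get(owner, set()))]
        score = risk_score(acct["entitlements"])
        tier = "high" if findings or score >= HIGH_RISK else "medium" if score >= MEDIUM_RISK else "low"
        queue.append({"system": acct["system"], "account": acct["account"], "owner": owner,
                      "score": score, "tier": tier, "findings": findings})
    queue.sort(key=lambda item: (-item["score"], item["account"]))
    return queue


if __name__ == "__main__":
    for item in review_queue(ACCOUNTS, IDENTITIES):
        print(f"{item['tier']:6} {item['score']:3} {item['system']}/{item['account']:8} {item['findings']}")
```

Each queue item carries the business-readable findings a line-of-business reviewer can act on (the invoice clerk who can also approve payments, the service account nobody owns), while clean accounts with low-weight access drop into the low tier and need only a light-touch confirmation.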

By providing valuable business context and facilitating collaboration between business and technology groups, risk-based IAM provides organizations with a quick reporting system to be able to address auditor requests and ensure they are staying ahead of compliance requirements. And, importantly, this approach can help an organization move toward stronger accountability, policy alignment and transparency to ultimately be able to reap the full benefits that new technologies — from mobile to cloud — have to offer.

Kevin Cunningham is president and founder of SailPoint Technologies Inc., an Austin-based developer of governance-based identity and access management.
